I am writing a low memory/cpu/bandwidth CMS php/mysql program to be open source.

In the process I want to make it as safe as possible but I realize that shared hosting and some vps systems can make intial security ideas not viable. So I would like to ask you about your usual system setups and how hard it is for the users to do certain things.

I assume you do not allow shell for shared, but maybe vps. Do you allow a customer to easily password protect a directory? What about mod_rewrite as a option for them?

As far as httpd.conf changes such as wildcard characters before domain names, is that something that would not be an issue for you in 'normal' environments? And of course alias folders too.

What about the ability for the client to add a non-html folder to use? In other words client's html folder is
/var/www/client1/htdocs and ability to add

Most of this is basic stuff, but I remember in the old days that shared hosts seldom allowed things like this.

It is not so much the program will need it, but there are some extras I can program in for them if these is a normal access or requestable items. And as far as securing the program I would instruct them where to put many things that protect configs and uploaded images and such.

so, just wondering.